The second Senate HELP Committee hearing on the proposed rules for implementing the electronic medical records provisions of the 21st Century Cures Act took place this week.

The Committee heard from National Coordinator for Health IT, Donald Rucker, and Director and Centers for Medicare and Medicaid Services Chief Medical Officer, Kate Goodrich, M.D.

The hearings aim to find a way forward to ensure the efficient accessing and sharing of health information between care providers and patients.

The prevention of information blocking is one of the main goals. By allowing health information to flow freely between providers and be shared with patients, the cost of healthcare can be significantly reduced. According to Dr. Brett James of the National Academies, as much as 50% of the costs of healthcare are unnecessary. Patients are having to repeat tests because their information cannot be shared between different healthcare providers, and there is considerable duplication of administrative tasks as a result of information blocking.

Earlier this year, both the CMS and ONC proposed new rules to tackle the issues of information blocking, EHR usability, and patient empowerment. Goodrich explained that consumers need to be put in the driving seat and be empowered to make decisions about their own healthcare. For that to happen, patients need easy access to their healthcare data. They can then pass that information on to whoever they wish.

The CMS and ONC's proposed rules are based on the belief that this goal can be largely achieved through the use of open APIs. APIs have been used in other industry sectors and have “transformed business after business after business,” according to Rucker.

Standards-based API technology should improve the sharing of healthcare data, although Rucker cautioned that for them to work, healthcare business practices that enable information blocking must be dismantled. Rucker suggests that rules preventing information blocking need to be implemented as soon as possible.

While progress needs to be made quickly, Committee Chair Sen. Lamar Alexander, R-Tennessee, warned of moving too quickly and encountering similar problems to those with Meaningful Use. “My major concern is to remind the administration of the advice that my piano teacher used to give me before a recital… Play it a little slower than you can play it, you’re less likely to make a mistake.”

Progress is being made. The CMS has already launched two initiatives (MyHealthEData and Blue Button 2.0) which will require Medicaid fee-for-service, managed care plans, Medicare Advantage Plans and others on the Federal Exchange to maintain secure APIs that allow individuals enrolled in those plans to easily access their own health information. It is hoped that developers will follow suit and build on the work that CMS/ONC has already done in this area.

While everyone wants the goals to be achieved, there is concern that the use of APIs could introduce privacy and security risks. These concerns were shared by Rucker and Goodrich, especially with respect to disclosures of health data to apps.

While apps will undoubtedly be required to receive health data and allow patients to share their health information with others, there are serious concerns as health apps are not well regulated. While there are some FTC regulations covering health apps, they are not covered by HIPAA requirements and are unlikely to be in the future.

If information is disclosed to the apps, patient privacy could be placed in jeopardy. Patients’ health data could be used by app developers and sold on to companies such as Facebook. Patients may not be aware of the implications of what could happen if their health data is disclosed to an app.

After disclosure to an app, healthcare organizations will not be liable for that data – as confirmed by the Office for Civil Rights recently – but patients could be exploited. What happens to data after it has been disclosed to an app is down to a contractual agreement between the patient and the app developer.

The reality is the uses and disclosures of patient data are likely to be hidden in a long list of T&Cs in app privacy policies, which may not be read or understood by patients. There are also few controls over what can be done with that information and how that information is secured.

“How data is secured and used in third-party apps illustrates a pressing issue that is currently part of a national discussion that extends beyond healthcare and into data privacy, stewardship, and regulatory interventions,” said Rucker. At present, patients need to “balance their selection and use of a health app with the potential risk of having negative implications.”
